The IP Security (“IPSec”) protocol suite (e.g., as defined by the Internet Engineering Task Force (IETF) request for comments (RFC) 4301) is a collection of protocols layered on top of standard IP implementations in an attempt to provide layers of security to network traffic. One such protocol is Encapsulated Security Payload (“ESP”) (e.g. as defined by IETF RFC 4303), wherein packets belonging to a connection to be secured are encrypted and inserted as a payload into a packet destined for a downstream device that will decrypt the payload and further forward or process the original packet. This coordination between encrypting and decrypting devices involves periodic “re-keying” of the connection such that the key(s) used in the encryption/decryption process are agreed upon by both devices.
Encrypting the traffic, however, does not fully secure the connection against all forms of attack. For example, in one form of attack known as a “replay attack,” a malicious user may intercept one or more encrypted packets (e.g., packets associated with a user authentication process) from the secured connection and “replay” them to the decrypting node at a later time (e.g., to falsely authenticate the malicious user). To combat this type of attack, ESP provides an anti-replay feature whereby the encrypting node includes a sequence number in each packet. The decrypting node then checks each received packet to make sure that its sequence number is not lower than a window of sequence numbers expected based on the last received sequence number. If a packet is received with a sequence number that falls below the expected window, the packet is discarded. Thus, the sequence number verification provides protection against any replay attack in IPSec/ESP connections and other connections that implement such an anti-replay feature.